fotopasob.blogg.se

Windows 10 loader 2017

One of the unnoticed improvements of Windows 10 is the parallel library loading support in ntdll.dll. This feature decreases process startup time by using multiple threads to load libraries from disk into memory.

How Windows 10 Implements Parallel Loading

Windows 10 implements parallel loading by creating a thread pool of worker threads when the process initializes. The parent process sets the number of loader threads in the PEB->ProcessParameters->LoaderThreads (ULONG) field. ntdll!LdrpInitializeExecutionOptions can further override the LoaderThreads field by querying the Image File Execution Options (IFEO) registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>\MaxLoaderThreads.

Figure 1: Querying the IFEO registry key for MaxLoaderThreads

Interestingly, Windows 10 ships a default entry for chrome.exe with MaxLoaderThreads set to 1, which disables parallel loading for that process.

The initial thread in the process, which executes ntdll!LdrInitializeThunk, will be referred to as the master thread. Threads created by the master thread in the thread pool will be referred to as worker threads. ntdll!LdrpInitParallelLoadingSupport and ntdll!LdrpCreateLoaderEvents are called to initialize the following structures:

  • ntdll!LdrpWorkQueueLock (CRITICAL_SECTION)

Figure 2: Initializing the work queue structures
Figure 3: Creating the synchronization events

After ntdll loads kernel32.dll and kernelbase.dll, ntdll!LdrpEnableParallelLoading is called to set up the necessary events and worker pool. One interesting thing to note is that kernel32.dll and kernelbase.dll are loaded even if the process does not require them.

How Windows 10 Mitigates Parallel Loading Hazards

There are a lot of hazards when it comes to parallel loading and code hooking. In order to mitigate memory corruption and compatibility issues, Windows detects whether a process is hooked before enabling parallel loading.

ntdll!LdrpEnableParallelLoading calls ntdll!LdrpDetectDetour to determine whether the process is being hooked. If a hook is detected, ntdll!LdrpDetourExist is set to true and the thread pool is drained and released. Hooks are detected by examining the first 16 bytes of the functions listed in ntdll!LdrpCriticalLoaderFunctions. The first 16 bytes of these functions are compared against ntdll!LdrpThunkSignature. This data is an array of the first 16 bytes of each function, copied by ntdll!LdrpCaptureCriticalThunks, which is called near the start of ntdll!LdrpInitializeProcess.

ntdll!LdrpEnableParallelLoading validates the number of worker threads and creates a thread pool with one less than LoaderThreads worker threads, since the master thread also performs the work of loading DLLs. If LoaderThreads is 0, it is set to the default value of 4; if LoaderThreads is larger than 16, it is set to the maximum value of 16. The worker thread idle timeout is set to 30 seconds. Programs which execute in less than 30 seconds will appear to hang due to ntdll!TppWorkerThread waiting for the idle timeout before the process terminates. ntdll!LdrpWorkCallback is registered as the thread pool work callback function. When work is available, a worker thread calls ntdll!LdrpWorkCallback, which in turn calls ntdll!LdrpProcessWork.
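The detour check and the worker-count rule described above, as an added example that is not code from the original article or from ntdll: a constructed C model of the decision ntdll!LdrpEnableParallelLoading makes. The 16-byte comparison window, the default of 4 and the cap of 16 come from the text; everything else is assumed for the demonstration. The three "critical loader functions" are made-up x64 prologue bytes, not real ntdll code, and the names restore_critical_functions, capture_critical_thunks, detect_detour, worker_threads_for, enable_parallel_loading, install_jmp_hook and patch_beyond_signature are stand-ins for the ntdll routines they model, not their real signatures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of LdrpCaptureCriticalThunks / LdrpDetectDetour and of
 * the LoaderThreads validation, as the article describes them. Example
 * code only; bytes, names and sizes are invented for the demonstration. */

#define THUNK_SIGNATURE_LEN    16  /* bytes LdrpDetectDetour compares (from the article) */
#define LOADER_THREADS_DEFAULT  4  /* used when LoaderThreads == 0 (from the article) */
#define LOADER_THREADS_MAX     16  /* upper clamp (from the article) */
#define NUM_CRITICAL            3  /* assumed size of our stand-in LdrpCriticalLoaderFunctions */
#define FUNC_BYTES             24  /* bytes kept per stand-in function */

/* Pristine bodies of three stand-in critical functions: constructed x64
 * prologues, not ntdll code. */
static const uint8_t pristine_funcs[NUM_CRITICAL][FUNC_BYTES] = {
    { 0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20,
      0x48,0x8B,0xF1, 0x48,0x8B,0xDA, 0x90,0x90,0xC3 },
    { 0x40,0x53, 0x48,0x83,0xEC,0x20, 0x48,0x8B,0xD9, 0x48,0x85,0xC9, 0x74,0x05,
      0x90,0x90,0x90,0x90, 0x48,0x83,0xC4,0x20, 0x5B, 0xC3 },
    { 0x4C,0x8B,0xDC, 0x49,0x89,0x5B,0x08, 0x57, 0x48,0x83,0xEC,0x30, 0x48,0x8B,0xF9,
      0x33,0xDB, 0x90,0x90,0x90,0x90,0x90,0x90, 0xC3 },
};

/* Writable copy standing in for the live code pages a hook would patch. */
static uint8_t live_funcs[NUM_CRITICAL][FUNC_BYTES];

/* Stand-in for ntdll!LdrpThunkSignature: first 16 bytes of each function. */
static uint8_t thunk_signature[NUM_CRITICAL][THUNK_SIGNATURE_LEN];

static int detour_exist;   /* stand-in for ntdll!LdrpDetourExist */

/* Put the "code" back in its pristine state (demo helper only). */
void restore_critical_functions(void) {
    memcpy(live_funcs, pristine_funcs, sizeof live_funcs);
}

/* Model of LdrpCaptureCriticalThunks, run early in process initialization:
 * snapshot the first 16 bytes of every critical function. */
void capture_critical_thunks(void) {
    for (int i = 0; i < NUM_CRITICAL; i++)
        memcpy(thunk_signature[i], live_funcs[i], THUNK_SIGNATURE_LEN);
}

/* Model of LdrpDetectDetour: compare the first 16 bytes of each critical
 * function with the captured signature. Returns the index of the first
 * function that differs, or -1 when none is hooked. */
int detect_detour(void) {
    for (int i = 0; i < NUM_CRITICAL; i++)
        if (memcmp(live_funcs[i], thunk_signature[i], THUNK_SIGNATURE_LEN) != 0)
            return i;
    return -1;
}

/* LoaderThreads validation as described: 0 -> default 4, >16 -> 16, and the
 * pool gets one fewer thread than LoaderThreads because the master thread
 * loads DLLs too. LoaderThreads == 1 therefore yields no workers, which is
 * how the chrome.exe IFEO entry (MaxLoaderThreads = 1) disables the feature. */
unsigned worker_threads_for(unsigned loader_threads) {
    if (loader_threads == 0) loader_threads = LOADER_THREADS_DEFAULT;
    if (loader_threads > LOADER_THREADS_MAX) loader_threads = LOADER_THREADS_MAX;
    return loader_threads - 1;
}

/* Model of the LdrpEnableParallelLoading decision: size the pool, run the
 * detour check, and on a hit set LdrpDetourExist and drain/release the pool
 * so the process ends up with no worker threads. Returns the worker count. */
unsigned enable_parallel_loading(unsigned loader_threads) {
    unsigned workers = worker_threads_for(loader_threads);
    if (detect_detour() >= 0) {
        detour_exist = 1;
        return 0;              /* pool drained and released */
    }
    detour_exist = 0;
    return workers;
}

int detour_exists(void) { return detour_exist; }

/* Demo hook: a 5-byte "jmp rel32" written over the function entry. */
void install_jmp_hook(int idx) {
    const uint8_t jmp[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };  /* rel32 arbitrary */
    memcpy(live_funcs[idx], jmp, sizeof jmp);
}

/* Demo patch at offset 20, past the 16 bytes the check covers. */
void patch_beyond_signature(int idx) {
    live_funcs[idx][20] = 0xCC;
}

int main(void) {
    restore_critical_functions();
    capture_critical_thunks();   /* the LdrpInitializeProcess-time snapshot */
    printf("clean:      workers=%u detour=%d\n", enable_parallel_loading(0), detour_exists());
    install_jmp_hook(1);
    printf("entry hook: workers=%u detour=%d\n", enable_parallel_loading(0), detour_exists());
    restore_critical_functions();
    patch_beyond_signature(1);
    printf("deep patch: workers=%u detour=%d\n", enable_parallel_loading(0), detour_exists());
    return 0;
}
```

The third case is the caveat a practitioner should take from the article: the comparison covers only the first 16 bytes of the functions in LdrpCriticalLoaderFunctions, so a patch placed later in one of those functions, or a hook on a function that is not in that list, never sets LdrpDetourExist. The check is a compatibility safeguard for the parallel loader, not a general anti-hooking control, and LdrpDetourExist being false tells you nothing about whether the process is instrumented elsewhere.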